NACK/Cmnt: [SRU][F][PATCH 2/2] nilfs2: fix use-after-free bug of struct nilfs_root
Stefan Bader
stefan.bader at canonical.com
Mon Nov 14 09:13:29 UTC 2022
On 11.11.22 19:56, Yuxuan Luo wrote:
> From: Ryusuke Konishi <konishi.ryusuke at gmail.com>
>
> If the beginning of the inode bitmap area is corrupted on disk, an inode
> with the same inode number as the root inode can be allocated and fail
> soon after. In this case, the subsequent call to nilfs_clear_inode() on
> that bogus root inode will wrongly decrement the reference counter of
> struct nilfs_root, and this will erroneously free struct nilfs_root,
> causing kernel oopses.
>
> This fixes the problem by changing nilfs_new_inode() to skip reserved
> inode numbers while repairing the inode bitmap.
>
> Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke at gmail.com>
> Reported-by: syzbot+b8c672b0e22615c80fe0 at syzkaller.appspotmail.com
> Reported-by: Khalid Masum <khalid.masum.92 at gmail.com>
> Tested-by: Ryusuke Konishi <konishi.ryusuke at gmail.com>
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
> (cherry picked from commit d325dc6eb763c10f591c239550b8c7e5466a5d09)
> CVE-2022-3649
> Signed-off-by: Yuxuan Luo <yuxuan.luo at canonical.com>
> ---
This should be a thread with a cover email which indicates all target series.
-Stefan
> fs/nilfs2/inode.c | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
> index bfc7ae219a8d..cd959f4378bc 100644
> --- a/fs/nilfs2/inode.c
> +++ b/fs/nilfs2/inode.c
> @@ -340,6 +340,7 @@ struct inode *nilfs_new_inode(struct inode *dir, umode_t mode)
> struct inode *inode;
> struct nilfs_inode_info *ii;
> struct nilfs_root *root;
> + struct buffer_head *bh;
> int err = -ENOMEM;
> ino_t ino;
>
> @@ -355,11 +356,25 @@ struct inode *nilfs_new_inode(struct inode *dir, umode_t mode)
> ii->i_state = BIT(NILFS_I_NEW);
> ii->i_root = root;
>
> - err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh);
> + err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
> if (unlikely(err))
> goto failed_ifile_create_inode;
> /* reference count of i_bh inherits from nilfs_mdt_read_block() */
>
> + if (unlikely(ino < NILFS_USER_INO)) {
> + nilfs_warn(sb,
> + "inode bitmap is inconsistent for reserved inodes");
> + do {
> + brelse(bh);
> + err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
> + if (unlikely(err))
> + goto failed_ifile_create_inode;
> + } while (ino < NILFS_USER_INO);
> +
> + nilfs_info(sb, "repaired inode bitmap for reserved inodes");
> + }
> + ii->i_bh = bh;
> +
> atomic64_inc(&root->inodes_count);
> inode_init_owner(inode, dir, mode);
> inode->i_ino = ino;
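Review bot: the existing comment `/* reference count of i_bh inherits from nilfs_mdt_read_block() */` now sits after the call that fills the local `bh`, while `ii->i_bh` is only assigned later by `ii->i_bh = bh;`, so it describes a variable that is not set at that point; consider rewording it to refer to `bh` or moving it next to the `ii->i_bh = bh;` line. The repair loop also deserves a short comment on why it terminates and why its error path is safe: it relies on each `nilfs_ifile_create_inode()` call handing back a fresh number (the reserved bits are deliberately left marked, which is the "repair" the changelog describes), so it can iterate at most `NILFS_USER_INO` times, and when the call fails inside the loop `bh` has already been released by `brelse(bh)` and `ii->i_bh` is still unset, so the `failed_ifile_create_inode` path does not see a stale buffer head.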